[v1.7] operator: stop listening on all interfaces for api-server-port

Documentation/install/upgrade.rst

@@ -298,6 +298,17 @@ Annotations:
 
 .. _1.7_required_changes:
 
+IMPORTANT: Changes required before upgrading to 1.7.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. warning::
+
+   Do not upgrade to 1.7.1 before reading the following sections and completing
+   the required steps for both 1.7.0 and 1.7.1.
+
+* ``api-server-port``: This flag, available in cilium-operator deployment only,
+  changed its behavior. The old behavior was opening that port on all interfaces,
+  the new behavior is opening that port on ``127.0.0.1`` and ``::1`` only.
+
 IMPORTANT: Changes required before upgrading to 1.7.0
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

install/kubernetes/cilium/charts/operator/templates/deployment.yaml

@@ -142,6 +142,11 @@ spec:
 {{- end }}
         livenessProbe:
           httpGet:
+{{- if .Values.global.ipv4.enabled }}
+            host: '127.0.0.1'
+{{- else }}
+            host: '[::1]'
+{{- end }}
             path: /healthz
             port: 9234
             scheme: HTTP

install/kubernetes/quick-install.yaml

@@ -1,4 +1,18 @@
 ---
+# Source: cilium/charts/agent/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium
+  namespace: kube-system
+---
+# Source: cilium/charts/operator/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium-operator
+  namespace: kube-system
+---
 # Source: cilium/charts/config/templates/configmap.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -127,20 +141,6 @@ data:
   enable-well-known-identities: "false"
   enable-remote-node-identity: "true"
 ---
-# Source: cilium/charts/agent/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cilium
-  namespace: kube-system
----
-# Source: cilium/charts/operator/templates/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cilium-operator
-  namespace: kube-system
----
 # Source: cilium/charts/agent/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -637,6 +637,7 @@ spec:
         name: cilium-operator
         livenessProbe:
           httpGet:
+            host: '127.0.0.1'
             path: /healthz
             port: 9234
             scheme: HTTP

operator/api.go

@@ -24,9 +24,7 @@ import (
 )
 
 // startServer starts an api server listening on the given address.
-func startServer(addr string, shutdownSignal <-chan struct{}, allSystemsGo <-chan struct{}) {
-	log.Infof("Starting apiserver on address %s", addr)
-
+func startServer(shutdownSignal <-chan struct{}, allSystemsGo <-chan struct{}, addrs ...string) {
 	http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		select {
 		// only start serving the real health check once all systems all up and running
@@ -37,16 +35,46 @@ func startServer(addr string, shutdownSignal <-chan struct{}, allSystemsGo <-cha
 		}
 	})
 
-	srv := &http.Server{Addr: addr}
+	errs := make(chan error, 1)
+	nServers := 0
 
-	go func() {
-		<-shutdownSignal
-		if err := srv.Shutdown(context.Background()); err != nil {
-			log.WithError(err).Error("apiserver shutdown")
+	// Since we are opening this on localhost only, we need to make sure
+	// we can open for both v4 and v6 localhost. In case the user is running
+	// v4-only or v6-only.
+	for _, addr := range addrs {
+		if addr == "" {
+			continue
 		}
-	}()
+		nServers++
+		srv := &http.Server{Addr: addr}
+		errCh := make(chan error, 1)
+
+		go func() {
+			err := srv.ListenAndServe()
+			if err != nil {
+				errCh <- err
+				errs <- err
+			}
+		}()
+		go func() {
+			select {
+			case <-shutdownSignal:
+				if err := srv.Shutdown(context.Background()); err != nil {
+					log.WithError(err).Error("apiserver shutdown")
+				}
+			case err := <-errCh:
+				log.Warnf("Unable to start status api: %s", err)
+			}
+		}()
+		log.Infof("Starting apiserver on address %s", addr)
+	}
 
-	log.Fatalf("Unable to start status api: %s", srv.ListenAndServe())
+	for err := range errs {
+		nServers--
+		if nServers == 0 {
+			log.Fatalf("Unable to start status api: %s", err)
+		}
+	}
 }
 
 func healthHandlerOK(w http.ResponseWriter, r *http.Request) {

operator/main.go

@@ -208,6 +208,10 @@ func kvstoreEnabled() bool {
 		synchronizeNodes
 }
 
+func getAPIServerAddr() []string {
+	return []string{fmt.Sprintf("127.0.0.1:%d", apiServerPort), fmt.Sprintf("[::1]:%d", apiServerPort)}
+}
+
 func runOperator(cmd *cobra.Command) {
 	logging.SetupLogging([]string{}, map[string]string{}, "cilium-operator", viper.GetBool("debug"))
 
@@ -222,7 +226,7 @@ func runOperator(cmd *cobra.Command) {
 
 	log.Infof("Cilium Operator %s", version.Version)
 	k8sInitDone := make(chan struct{})
-	go startServer(fmt.Sprintf(":%d", apiServerPort), shutdownSignal, k8sInitDone)
+	go startServer(shutdownSignal, k8sInitDone, getAPIServerAddr()...)
 
 	if enableMetrics {
 		registerMetrics()